1 { pkgs, lib, config, nixosConfig, ... }:
4 home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
5 install -d -m700 ${lib.escapeShellArg config.programs.gpg.homedir}
# gpg-agent settings (the enclosing `services.gpg-agent = { … }` attrset
# opens and closes outside this excerpt).
# Let gpg-agent serve as the SSH agent, and also expose the restricted
# "extra" socket, the one gpg-agent documents as safe to forward to a
# remote host (it exposes a reduced command set compared to the main socket).
enableSshSupport = true;
enableExtraSocket = true;
# Use a graphical pinentry only when the host actually runs an X server;
# mkDefault keeps this overridable by a more specific module.
pinentryFlavor = lib.mkDefault (if nixosConfig.services.xserver.enable then "gtk2" else "curses");
14 programs.gpg.enable = true;
15 programs.gpg.settings = {
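#auto-key-locate = "keyserver";
# home-manager renders boolean settings as bare option names and drops
# `false` values entirely, so `auto-key-locate = false` produced no line in
# gpg.conf and gpg's built-in auto-key-locate default (which, depending on
# the gpg version, may include network lookups such as WKD) stayed active.
# `no-auto-key-locate` is the gpg option that actually disables automatic
# key retrieval; explicit `--recv-keys` against the dirmngr keyserver is
# unaffected.
no-auto-key-locate = true;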
# Remaining gpg.conf settings (the enclosing `programs.gpg.settings = { … }`
# attrset closes outside this excerpt). Boolean `true` renders as the bare
# option name; string values render as `name value`.
# Digest used when signing (certifying) other keys.
cert-digest-algo = "SHA512";
# NOTE(review): a `false` value is omitted by home-manager's renderer, so this
# line emits nothing. The gpg option that drops the default keyrings is
# `no-default-keyring`, and enabling it without a `keyring` entry would leave
# gpg with no public keyring — confirm the intent before changing it.
default-keyring = false;
# Preference list written into newly generated keys: SHA-2 digests first,
# AES variants first among ciphers; CAST5/TWOFISH presumably retained only
# for interoperability with older correspondents.
default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed";
# Stable listing format for scripts, and 64-bit key IDs with a 0x prefix —
# 32-bit short IDs are cheap to collide and should not be used to identify keys.
fixed-list-mode = true;
keyid-format = "0xlong";
# Ignore the preferred-keyserver URL embedded in a key on refresh, so lookups
# go to the keyserver configured in dirmngr.conf rather than one chosen by
# the key's creator.
keyserver-options = "no-honor-keyserver-url";
# This user's own algorithm preferences, consulted when choosing algorithms
# for encryption and signatures.
personal-cipher-preferences = "AES256 AES CAST5";
personal-digest-preferences = "SHA512";
# String-to-key settings for passphrase-based symmetric encryption (`gpg -c`).
# NOTE(review): with GnuPG 2.1+ private-key passphrase protection is handled
# by gpg-agent, so these likely do not govern secret-key storage — confirm.
s2k-cipher-algo = "AES256";
s2k-digest-algo = "SHA512";
# Combine TOFU tracking with web-of-trust validity. New key/e-mail bindings
# start with the "unknown" policy rather than being trusted on first use;
# presumably so validity comes from signatures or an explicit tofu-policy —
# verify against the gpg manual for the installed version.
tofu-default-policy = "unknown";
trust-model = "tofu+pgp";
#with-fingerprint = [ true true ];
39 home.file."${config.programs.gpg.homedir}/dirmngr.conf".text = ''
41 keyserver hkps://keys.openpgp.org
46 home.packages = lib.mkIf config.programs.gpg.enable [
47 (pkgs.pass.withExtensions (ext: with ext; [